Merge "Gate fix and update compute tests to adopt new policies"
diff --git a/patrole_tempest_plugin/policy_authority.py b/patrole_tempest_plugin/policy_authority.py
index 1defa6d..afa358a 100644
--- a/patrole_tempest_plugin/policy_authority.py
+++ b/patrole_tempest_plugin/policy_authority.py
@@ -186,9 +186,10 @@
}
)
LOG.warn(deprecated_msg)
- check_str = '(%s) or (%s)' % (default.check_str,
- deprecated_rule.check_str)
- return policy.RuleDefault(default.name, check_str)
+ default.check = policy.OrCheck(
+ [policy._parser.parse_rule(cs) for cs in
+ [default.check_str,
+ deprecated_rule.check_str]])
def get_rules(self):
rules = policy.Rules()
@@ -229,7 +230,7 @@
# The `DocumentedRuleDefault` object has no
# `deprecated_rule` attribute in Pike
if getattr(rule, 'deprecated_rule', False):
- rule = self._handle_deprecated_rule(rule)
+ self._handle_deprecated_rule(rule)
rules[rule.name] = rule.check
elif str(rule.check) != str(rules[rule.name]):
msg = ("The same policy name: %s was found in the "
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index 471d7da..f81262a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -20,6 +21,17 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
+CONF = config.CONF
+
+if CONF.policy_feature_enabled.changed_nova_policies_ussuri:
+ _SG_LIST = "os_compute_api:os-security-groups:list"
+ _SG_ADD = "os_compute_api:os-security-groups:add"
+ _SG_REMOVE = "os_compute_api:os-security-groups:remove"
+else:
+ _SG_LIST = "os_compute_api:os-security-groups"
+ _SG_ADD = "os_compute_api:os-security-groups"
+ _SG_REMOVE = "os_compute_api:os-security-groups"
+
class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
"""Tests non-deprecated security group policies. Requires network service.
@@ -55,7 +67,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_LIST])
@decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
def test_list_security_groups_by_server(self):
with self.override_role():
@@ -64,7 +76,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_ADD])
@decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
def test_create_security_group_for_server(self):
sg_name = self.create_security_group()['name']
@@ -78,7 +90,7 @@
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-security-groups"])
+ rules=[_SG_REMOVE])
@decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
def test_remove_security_group_from_server(self):
sg_name = self.create_security_group()['name']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index 7bdd3da..95544b4 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -36,11 +36,15 @@
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces:list"
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces:show"
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions:list"
+ _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password:show"
+ _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password:clear"
else:
_DEFERRED_FORCE = "os_compute_api:os-deferred-delete"
_ATTACH_INTERFACES_LIST = "os_compute_api:os-attach-interfaces"
_ATTACH_INTERFACES_SHOW = "os_compute_api:os-attach-interfaces"
_INSTANCE_ACTIONS_LIST = "os_compute_api:os-instance-actions"
+ _SERVER_PASSWORD_SHOW = "os_compute_api:os-server-password"
+ _SERVER_PASSWORD_CLEAR = "os_compute_api:os-server-password"
class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -493,7 +497,7 @@
@decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-server-password"])
+ rules=[_SERVER_PASSWORD_CLEAR])
def test_delete_server_password(self):
"""Test delete server password, part of os-server-password."""
with self.override_role():
@@ -502,7 +506,7 @@
@utils.requires_ext(extension='os-server-password', service='compute')
@rbac_rule_validation.action(
service="nova",
- rules=["os_compute_api:os-server-password"])
+ rules=[_SERVER_PASSWORD_SHOW])
@decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
def test_get_server_password(self):
"""Test show server password, part of os-server-password."""
diff --git a/releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml b/releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml
index 67f28bc..545c544 100644
--- a/releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml
+++ b/releasenotes/notes/adopt_nova_new_policies-c61d1c3751ff1bf9.yaml
@@ -13,3 +13,6 @@
- os_compute_api:os-instance-usage-audit-log
- os_compute_api:os-agents
- os_compute_api:os-hypervisors
+ - os_compute_api:os-instance-actions
+ - os_compute_api:os-security-groups
+ - os_compute_api:os-server-password